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Amendments to the Claims : (this Hsting replaces all prior versions): 

1. (currently amended) A method comprising: 

detecting possible security problems at two or more client locations; 

transmitting notice of the possible security problems from the two or more client 
locations across a network in real time to a home location remotely located from the two or more 
client locations; 

determining, at the home location, an anomaly at one or more of the client locations 
based on an analysis of at least the possible security problems at the two or more of the client 
locations, in which detecting possible security problems at two or more client locations, 
transmitting notice of the possible security problems, and determining the anomaly based on the 
possible security problems occur continuously in real time in which the anomaly is not apparent 
from analyzing the possible security problem or problems at only one of the client locations ; and 

trEinsmitting notice of the £inom£ily in red time to the client locations at which the 
possible security problems are detected. 

2. (original) The method of cMm 1 further comprising transmitting notice of the 
anomaly in real time to other client locations that may communicate with the home location over 
the network. 

3. (cancelled) 

4. (original) The method of claim 1 further comprising inspecting a packet that 
arrives at the client location to detect the possible security problem. 

5. (previously presented) The method of claim 1 in which the network comprises a 
virtual private networks. 
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6. (original) The method of claim 1 in which the anomdy includes unauthorized 
access to the network. 

7. (original) The method of claim 1 in which the anomaly includes unauthorized 
access of a resource accessible through the network. 

8. (original) The method of claim 1 in which the anomaly includes unauthorized use 
of resources available through the network. 

9. (currently zimended) An article comprising: 

a machine-readable medium which contains machine-executable instructions, the 
instructions causing a machine to: 

detect possible security problems at two or more client locations; 

transmit notice of the possible security problems across a network in real time to a 
home location remotely located from the two or more client locations; 

determine, at the home location, an anomaly at one or more of the client locations 
based on an analysis of at least the possible security problems at the two or more of the client 
locations, in which detection of possible security problems at the two or more client locations, 
transmission of notice of the possible security problems, and deteiTnination of the anomaly based 
on the possible security problems occur continuously in real time the anomaly is not apparent 
from analyzing the possible security problem or problems at only one of the client locations ; and 

transmit notice of the anomaly in real time to the client locations at which the 
possible security problems are detected. 

10. (original) The article of claim 9 further causing a machine to transmit notice of 
the anomaly in real time to other client locations that may communicate with the home location 
over the network 



11. (cancelled) 
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12. (previously presented) The article of cMm 9 further causing the machine to 
inspect a packet that arrives at the client location to detect the possible security problem. 

13. (previously presented) The article of claim 9 in which the network comprises 
virtual private networks. 

14. (original) The article of claim 9 in which the anomaly includes unauthorized 
access to the network. 

15. (originzil) The article of cMm 9 in which the £inom£ily includes unauthorized 
access of a resource accessible through the network. 

16. (origind) The article of cMm 9 in which the £inom£ily includes unauthorized use 
of resources avziilable through the network. 

17. (currently zimended) A method comprising: 

at a home location in a network, receiving from at least two remote clients indications of 
possible security problems at the clients; and 

determining in real time , at the home location, an existence of an anomaly at one or more 
of the remote clients based on an analysis of at least the indications of the possible security 
problems at two or more of the remote clients, in which receiving indications of possible security 
problems from the at least two remote clients and determining the zinomzily based on the 
indications of the possible security problems occur continuously in rezil time the anomaly is not 
apparent from analyzing the indication or indications of possible security problem or problems at 
only one of the remote clients . 

18. (previously presented) The method of claim 17 further comprising transmitting 
notice of the existence of the anomaly in real time from the home location to the remote clients. 
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19. (previously presented) The method of claim 17 further comprising transmitting 
notice of the existence of the anomaly in real time from the home location to other remote clients 
that may communicate with the home location over the network. 

20. (cancelled) 

21 . (previously presented) The method of claim 17 further comprising transmitting 
information from the home location to the remote clients to help the remote clients identify 
possible security problems. 

22. (origind) The method of cMm 17 further comprising determining the existence of 
the anomaly based on at least information regarding previous £inom£ilies. 

23-27. (cancelled) 

28. (currently zimended) An apparatus comprising: 
a server; 

a first mechanism accessible by the server to determine an anomaly at one or more of a 
pluraUty of cUents based on at least information received from two or more of the clients 
regarding possible security problems, in which the anomaly is determined continuously in real 
time following receipt of the information from the two or more clients not apparent from 
analyzing the possible security problem or problems at only one of the clients ; £ind 

a second mechzinism accessible by the server to trzinsmit notice of the anomaly in real 
time over a network to the clients. 

29. (previously presented) The apparatus of claim 28 in which the first mechanism 
determines the anomaly based on at least information regarding previously determined 
anomalies. 

30. (currently amended) A system comprising: 
two or more client terminals; 
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a server; 

for each of the client terminals, 

a first client mechanism accessible by the client terminal to detect a possible 
security problem at the client terminal, 

a second client mechanism accessible by the client terminal to transmit notice of 
the possible security problem across a network in real time to a server remotely located from the 
client terminal, and 

a third client mechanism accessible by the client terminzil to receive updates from 
the server in real time regarding security problems that the first client mechzinism may use in 
detecting possible security problems; 

a first server mechanism accessible by the server to determine an anomaly at one or more 
of the client terminals based on at least information received from the two or more client 
terminals regarding possible security problems, in which the anomaly is determined continuously 
in real time following receipt of the information from the two or more clients not apparent from 
analyzing the information regarding possible security problem or problems at only one of the 
remote client terminals ; and 

a second server mechanism accessible by the server to transmit notice of the anomaly in 
real time over the network to the client terminzils at which the possible security problems are 
detected. 

3 1 . (original) The system of claim 30 in which the first client mechanism is also 
configured to monitor packets that arrive at the client terminal for the possible security problem. 

32. (original) The system of claim 30 in which the first server mechanism is also 
configured to determine the anomaly based on at least information regarding previously 
determined Einomalies. 

33. (original) The system of cMm 30 in which the second server mechanism is also 
configured to transmit notice of the anomaly in real time to other client locations that may 
conmiunicate with the server over the network. 
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34. (previously presented) The system of claim 30 further comprising firewalls 
located between the client terminals and the server and configured to act as an intermediary for 
information flowing between the client terminals and the server. 

35. (previously presented) The system of claim 34 in which at least one of the 
firewalls includes a corporate server. 

36-39 (cancelled) 

40. (currently zimended) A method comprising: 

at a server, receiving from at least two remote clients indications of possible security 
problems at the clients; 

determining in real time , at the server, an existence of an anomaly based on the 
indications of the possible security problems from the at least two remote clients, in which 
receiving indications of possible security problems from the at least two remote clients and 
determining the existence of the anomaly based on the indications of the possible security 
problems occur continuously in real time the anomaly is not apparent from analyzing the 
possible security problem or problems at only one of the remote clients ; and 

sending in real time, from the server to the remote clients, information for updating 
firewalls protecting the remote clients to account for the anomaly. 

41. (currently amended) A method comprising: 

detecting possible security problems at two or more client locations; 

transmitting notice of the possible security problems across a network in real tim e 
to a home location remotely located from the client locations; 

determining, at the home location, an anomaly at one or more of the client 
locations based on the possible security problems by searching for particular information in the 
anomaly, the particular information including at least one of a network address previously noted 
as a security problem and a particular query or command associated with a known intrusion 
pattern or technique, in which detecting possible security problems at the two or more client 
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locations, transmitting notice of the possible security problems, and determining the anomaly 

based on the possible security problems occur continuously in real time the anomaly is not 
apparent from analyzing the possible security problem or problems at only one of the client 

transmitting notice of the anomaly in real time to the client locations. 

42. (previously presented) A method comprising: 
detecting a possible security problem at a client location; 

transmitting notice of the possible security problem across a network in real time to a 
home location remotely located from the client location; 

determining at the home location an anomaly by at least comparing the possible security 
problem with information previously logged at the home location, including searching for a 
successful but unexpected login; and 

transmitting notice of the anomaly in real time to the client location. 

43. (cEincelled) 

44. (cEincelled) 

45. (previously presented) The apparatus of cMm 28, further comprising at least one 
of a human immune mechzinism to collect information on users, £ind a fingerprinting mechanism 
to check and store names and addresses associated with security problems. 

46. (previously presented) The apparatus of claim 28, further comprising a wide view 
mechanism to collect and maintain information regarding anomalies reported to the server by the 
clients. 

47. (previously presented) The apparatus of claim 28, further comprising a statistics 
mechanism to compute and store records of anomalies. 
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48. (previously presented) The method of claim 40, further comprising at least one of 
collecting information on users by using a human immune mechanism and checking and storing 
names and addresses associated with security problems by using a fingerprinting mechanism. 

49. (previously presented) The method of claim 40, further comprising computing 
and storing records of £inom£ilies by using a statistics mechzinism. 

50. (previously presented) The method of claim 41, further comprising updating, in 
real time, a firewall protecting the client location to account for the anomaly. 

5 1 . (previously presented) The method of claim 42, further comprising updating, in 
real time, a firewall protecting the client location to account for the anomaly. 

52. (previously presented) The method of claim 42, in which searching for a 
successful but unexpected login comprises searching for at least one of a login at an unexpected 
hour, a login from an unexpected location, and a login from an unexpected user. 

53. (previously presented) The apparatus of claim 28, further comprising a 
complexity theory mechanism to store and perform complex analysis of anomaly trends. 



